Monday, November 18, 2013

Daily Blog #148: Sunday Funday 11/17/13 Winner!

Hello Reader,
        Another Sunday Funday has come and gone, and a new victor arises to claim the prize! This week I put out a challenge on a topic I know we've covered from different angles here on the blog, CD burning artifacts, to see what you would come back with. While some of the responses covered what we've already talked about here, some of you went beyond that and found additional artifacts! This week the 'earliest most complete submission wins' rule came into effect. The winning answer this week, from Martijn Veken, was received at 8:34am central time, beating the other great submissions by hours.

The Challenge:
     Your client has given you three CDROMs that contain their trade secrets. They want you to determine as much information as possible about the CDs, specifically:
1. Which system burned them
2. What software created the CDs
3. When they were burned
4. If there were other CDs burned
5. Which user burned the CDs

The client is a small company with 5 systems, and you've been given access to all of them. Each of the 5 systems runs Windows 7.

The Winning Answer:
Martijn Veken

1. Which system burned them
If you figured out at what time the CDs were burned (see answer 3), check the system event log for event id 133; this indicates that files were burned to CD using Windows Explorer. If so, in the registry under key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo", there are keys indicating where files were staged before they were burned to the CD. You can use file system forensics to investigate what was in the folder to try to match them to the disc. You can also check the timestamp of the registry key to see at what time it was written to search more specifically.

If another tool was used, there are clues on which tool this was on the CD (see step 2). Look for indications in the prefetch, RunMRU and UserAssist to see if the tool has run on the system. If the tool is or used to be present, look for the temp folders or log files it produces to see if you can match it to the CD.

2. What software created the CDs
If it’s ISO9660, usually the name of the application that has created the CD is in the session start section, somewhere just after 0x8000.

3. When they were burned
If it’s ISO9660, there are a couple of timestamps indicating the time of burn in the session start section. If you have figured out on which system the discs were created, check the event log to see if there are any events (event id 1) that indicate that the system time was changed prior to burning the disc.

4. If there were other CDs burned
If the CDs have been burned with Windows Explorer, there will be events with id 133 in the event log. In the registry key described in step 1 there will be entries for staging folders. Examine these forensically to see if there are residues of files there.

Other burning applications also usually have a temp or staging folder for burning CDs. You can check these folders for residues indicating that files have been burned to a CD.

5. Which user burned the CDs
In most cases, the location of the log or staging files in the user's AppData folder will indicate which user created the CDs.

If not, use the time that the CD was created to check the security event log for audit events that indicate which user was logged on to the system at the time of the creation of the CDs. To burn a disc, a user usually needs to log on physically to the system, so look for logons of types 2 and 7 prior to burning the disc.
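As an added example (not part of the original post or of Martijn's submission), the Python script below shows the lookup described in steps 2 and 3: it reads the ISO 9660 primary volume descriptor at 0x8000 of a disc image and pulls out the application identifier along with the volume creation, modification, expiration and effective timestamps, including the GMT offset byte that ISO 9660 stores with each date. The field offsets follow the ECMA-119 layout; the disc image, burner name, volume label and dates are constructed here for the demonstration and are not real artifacts. The `search_window` helper is an assumption of mine about how you would then line the burn time up against an event log.

```python
import struct
from datetime import datetime, timedelta, timezone

PVD_OFFSET = 0x8000   # the PVD sits in sector 16; sectors 0-15 are the system area
SECTOR = 2048

# Identifier fields of forensic interest: name -> (offset in PVD, length).
TEXT_FIELDS = {
    "system_id": (8, 32),
    "volume_id": (40, 32),
    "publisher_id": (318, 128),
    "data_preparer_id": (446, 128),
    "application_id": (574, 128),   # usually names the burning software
}
# 17-byte date fields: name -> offset in PVD.
DATE_FIELDS = {"creation": 813, "modification": 830,
               "expiration": 847, "effective": 864}


def parse_iso_datetime(raw: bytes):
    """Decode a 17-byte ISO 9660 date: 16 ASCII digits YYYYMMDDHHMMSScc
    (cc = hundredths of a second) followed by a signed byte giving the offset
    from GMT in 15-minute units. All zeros means 'not specified' -> None."""
    digits = raw[:16].decode("ascii", errors="replace")
    offset_q = struct.unpack("b", raw[16:17])[0]
    if digits == "0" * 16 and offset_q == 0:
        return None
    if not digits.isdigit() or not -48 <= offset_q <= 52:
        raise ValueError(f"malformed ISO 9660 timestamp: {raw!r}")
    tz = timezone(timedelta(minutes=15 * offset_q))
    return datetime(int(digits[0:4]), int(digits[4:6]), int(digits[6:8]),
                    int(digits[8:10]), int(digits[10:12]), int(digits[12:14]),
                    int(digits[14:16]) * 10_000, tzinfo=tz)


def parse_pvd(image: bytes) -> dict:
    """Return identifier and date fields from the PVD at 0x8000 of an image."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at 0x8000")
    fields = {}
    for name, (off, length) in TEXT_FIELDS.items():
        fields[name] = pvd[off:off + length].decode("ascii", "replace").rstrip(" \x00")
    for name, off in DATE_FIELDS.items():
        fields[name] = parse_iso_datetime(pvd[off:off + 17])
    return fields


def search_window(burn_time: datetime, slack_minutes: int = 30):
    """UTC (start, end) pair for searching event logs around the burn time.
    Windows event logs store UTC, while the PVD date carries its own offset,
    so the conversion has to happen before comparing the two."""
    utc = burn_time.astimezone(timezone.utc)
    slack = timedelta(minutes=slack_minutes)
    return utc - slack, utc + slack


def build_sample_image() -> bytes:
    """Constructed image: blank system area plus a minimal PVD. The burner
    name, volume label and dates are invented for this demonstration."""
    pvd = bytearray(b" " * SECTOR)
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1
    pvd[8:40] = b"WIN32".ljust(32)
    pvd[40:72] = b"TRADE_SECRETS".ljust(32)
    pvd[574:702] = b"EXAMPLE BURNER 1.0 (CONSTRUCTED)".ljust(128)
    stamp = b"2013111514320700" + struct.pack("b", -24)   # 14:32:07 at GMT-6
    pvd[813:830] = stamp
    pvd[830:847] = stamp
    pvd[847:864] = b"0" * 16 + b"\x00"                     # expiration unset
    pvd[864:881] = stamp
    return bytes(PVD_OFFSET) + bytes(pvd)


if __name__ == "__main__":
    info = parse_pvd(build_sample_image())
    for key, value in info.items():
        print(f"{key:18s} {value}")
    print("event-log search window (UTC):", search_window(info["creation"]))
```

Against a real disc, call `parse_pvd` on the raw image bytes (for example the contents of an `.iso` taken from the drive). The offset byte is the detail worth keeping in mind: a burner that writes local time with an offset of -6 hours will show a creation time six hours earlier than the UTC timestamps in the Windows event log, so convert before you go looking for the event id 133 and logon entries from steps 1 and 5.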

Make some time for next week's Sunday Funday and you too can win a prize worth researching for!